
I’ve been following this tutorial:
https://www.youtube.com/watch?v=wNN5N1_ZTN4

First, I’ve confirmed that the user I’m connecting with in AWS CLI has the following permission policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ExecuteCommand",
                    "ecs:DescribeTasks",
                    "ecs:UpdateService",
                    "iam:PassRole"
                ],
                "Resource": "*"
            }
        ]
    }

Next, I’ve confirmed that the task role being used by the task has this permission policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssmmessages:CreateControlChannel",
                    "ssmmessages:CreateDataChannel",
                    "ssmmessages:OpenControlChannel",
                    "ssmmessages:OpenDataChannel"
                ],
                "Resource": "*"
            }
        ]
    }

When I run the describe-tasks command on the task, "enableExecuteCommand" is set to true every time:

    aws ecs describe-tasks --cluster cluster-name --tasks task-id

Regardless of this, whenever I try opening a shell session via the following command:

    aws ecs execute-command --region us-east-1 --cluster cluster-name --container container-name --task task-id --command "/bin/sh" --interactive

I get the following:

    An error occurred (InvalidParameterException) when calling the ExecuteCommand operation: The execute command failed because execute command was not enabled when the task was run or the execute command agent isn't running. Wait and try again or run a new task with execute command enabled and try again.

I’ve been all over Stack Overflow and the AWS docs and everything is suggesting confirming the things I’ve already confirmed above. Where else should I look or are any of these settings incorrect on the policies?
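The error text above names two conditions that are not covered by the IAM and task-role checks in the question: the task has to have been launched with execute command enabled, and the ExecuteCommandAgent inside the container has to be running, which it only is once the task itself is RUNNING (the accepted answer's case is a task stuck in PENDING). The script below is an added example, not code from the thread or from AWS: it reads the JSON that `aws ecs describe-tasks --cluster <cluster> --tasks <task-id>` prints and lists every reason visible there that ECS Exec would fail. The field names (`tasks[].lastStatus`, `tasks[].enableExecuteCommand`, `containers[].managedAgents[]` with the agent name `ExecuteCommandAgent`) are those of the ECS DescribeTasks API; the embedded sample payload, the task ARN and the script name `ecs_exec_preflight.py` are constructed for the example.

```python
"""Preflight check for `aws ecs execute-command` (added example, not from the thread).

Pipe `aws ecs describe-tasks` output into it, or run it with no stdin to see
the constructed sample below (a task launched with exec enabled but still
PENDING, which is what the accepted answer ran into).
"""
import json
import sys

# Constructed sample DescribeTasks output; the ARN and names are made up.
SAMPLE_DESCRIBE_TASKS = json.dumps({
    "tasks": [
        {
            "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/cluster-name/0123456789abcdef0",
            "lastStatus": "PENDING",
            "desiredStatus": "RUNNING",
            "enableExecuteCommand": True,
            "containers": [
                {
                    "name": "container-name",
                    "lastStatus": "PENDING",
                    "managedAgents": [
                        {"name": "ExecuteCommandAgent", "lastStatus": "PENDING"}
                    ],
                }
            ],
        }
    ],
    "failures": [],
})


def exec_problems(describe_tasks_json, container_name=None):
    """Return a list of reasons ECS Exec would fail; an empty list means go.

    Checks, in order: the task was found at all, it is RUNNING, it was started
    with enableExecuteCommand, and the ExecuteCommandAgent managed agent in the
    target container (every container if none is named) is RUNNING. IAM
    problems are not visible in DescribeTasks; they surface as AccessDenied
    on the ExecuteCommand call instead.
    """
    data = json.loads(describe_tasks_json)
    problems = []

    # Unknown or expired task IDs come back in "failures", not "tasks".
    for failure in data.get("failures", []):
        problems.append(f"task lookup failed: {failure.get('arn')} ({failure.get('reason')})")

    for task in data.get("tasks", []):
        arn = task.get("taskArn", "<unknown>")

        # ExecuteCommand only works against a task that is already RUNNING.
        status = task.get("lastStatus")
        if status != "RUNNING":
            problems.append(f"{arn}: task lastStatus is {status}, not RUNNING")

        # The flag is fixed when the task is launched; enabling it on the
        # service afterwards only affects tasks started by a new deployment.
        if not task.get("enableExecuteCommand", False):
            problems.append(f"{arn}: task was not launched with enableExecuteCommand")

        matched = False
        for container in task.get("containers", []):
            if container_name and container.get("name") != container_name:
                continue
            matched = True
            agents = {a.get("name"): a.get("lastStatus")
                      for a in container.get("managedAgents", [])}
            agent_status = agents.get("ExecuteCommandAgent")
            if agent_status != "RUNNING":
                problems.append(f"{arn}: container {container.get('name')} "
                                f"ExecuteCommandAgent status is {agent_status}")
        if container_name and not matched:
            problems.append(f"{arn}: no container named {container_name} in task")

    return problems


if __name__ == "__main__":
    # Usage: aws ecs describe-tasks --cluster C --tasks T | python3 ecs_exec_preflight.py [container]
    payload = SAMPLE_DESCRIBE_TASKS if sys.stdin.isatty() else sys.stdin.read()
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for line in exec_problems(payload, target) or ["ready for ecs execute-command"]:
        print(line)
```

On the sample the script reports the task as PENDING and the ExecuteCommandAgent as not RUNNING, which is exactly the state that produces the InvalidParameterException in the question even though the IAM side is correct; once the task reaches RUNNING and the agent reports RUNNING, the same `execute-command` invocation succeeds.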

2 Answers


  1. Chosen as BEST ANSWER

    Please disregard, very noob problem. The container I'm trying to SSH into is stuck in Pending status. I had thought it was possible to ECS Exec into it to see why it won't fully start up, but just now found it has to be already running. I can successfully ECS exec into Running containers, as advertised.


  2. You need to verify if Amazon ECS ExecuteCommand is enabled on the Amazon ECS Service/Task using the CLI command:

    aws ecs describe-services --region <region> --cluster <cluster-name> --services <service-name>
    

    You should see enableExecuteCommand present in the output and its value set to true indicating that the Amazon ECS Service is enabled with this feature.
    You can enable the feature by updating the Amazon ECS Service using the following CLI command:

    aws ecs update-service --cluster <cluster-name> --service <service-name> --region <region> --enable-execute-command
    

    Note that the Amazon ECS Tasks need to be in launch state before you can ECS Exec into the Amazon ECS Task.
